TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Inadequate Security Controls Over Routers and Switches
Jeopardize Sensitive Taxpayer Information

March 26, 2008

Reference Number: 2008-20-071

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process, and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

March 26, 2008

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM:     Michael R. Phillips
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information (Audit # 200720027)

This report presents the results of our review to determine whether controls were sufficient to detect and deter unauthorized use of Internal Revenue Service (IRS) routers and switches, two key components used to direct network traffic.
This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2007 Annual Audit Plan and was part of the Information Systems Programs business unit’s statutory requirements to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

Because the IRS sends sensitive taxpayer and administrative information across its networks, routers on the networks must have sufficient security controls to deter and detect unauthorized use. Access controls for IRS routers were not adequate, and reviews to monitor security configuration changes were not conducted to identify inappropriate use. A disgruntled employee, contractor, or hacker could reconfigure routers and switches to disrupt computer operations and steal taxpayer information in a number of ways, including diverting information to unauthorized systems.

Synopsis

The IRS Enterprise Networks organization is responsible for installing, operating, and maintaining routers and switches for a majority of the IRS. Within the Enterprise Networks organization, the Network Management Control Center serves as the Program Management Office and central support center for the IRS network environment throughout the United States. Its responsibilities include authorizing and authenticating persons accessing routers and switches, monitoring activity on the network, and ensuring that routers are properly configured.

The IRS uses the Terminal Access Controller Access Control System (TACACS+) to administer and configure routers and switches. Users of the TACACS+ must be authorized by managers. The IRS had established 374 accounts for employees and contractors that could be used to access routers and switches to perform system administration duties.
Of these, 141 (38 percent) did not have proper authorization to access the TACACS+. Authorizations for 86 of the 141 employee and contractor accounts had been provided on some prior date, but the authorizations had expired at the time of our review. However, we could not find that the other 55 employee and contractor accounts had ever been authorized to access the System. We are particularly concerned that 27 of the 55 employees and contractors had accessed the routers and switches to change security configurations.

To authenticate users, the TACACS+ uses a security application that requires users to enter an account name and password. System administrators had circumvented this control by setting up 34 unauthorized accounts that appear to be shared-user accounts. Any person who knew the passwords to these accounts could change configurations without accountability and with little chance of detection. For this reason, the IRS requires that shared accounts be used only on a limited basis and that they be subjected to special authorization controls. However, during Fiscal Year 2007, 4.4 million (more than 84 percent) of the 5.2 million accesses to the TACACS+ were made by the 34 user accounts. None of the accounts were properly authorized.

In addition, the review of audit trails¹ is necessary to detect potential security events such as hacking attempts, virus or worm infections, and attempts to change or alter information. The Modernization and Information Technology Services organization Cybersecurity office has the responsibility to review audit trail information from the TACACS+, routers, and switches at least weekly. In addition, the Cybersecurity office must review audit trail logs after any security incident.
Analysis of audit trail events can also allow the administrators and the Network Management Control Center to identify nonstandard configurations that could lead to security vulnerabilities or disruptions to operations.

Audit trail log reviews were not being conducted by the Cybersecurity office, and only a limited percentage of the audit trails for the IRS routers and switches were being reviewed. In addition, system administrators were not following IRS procedures that require an authoritative, IRS-wide time server for the purpose of synchronizing the system clocks of IRS systems. Correct time zone settings are critical during audit trail reviews for detecting inappropriate traffic across the IRS network and for establishing a timeline in case of a multifaceted attack on the IRS network. The time of attack can also be critical evidence in criminal proceedings.

¹ An audit trail is a chronological record of activities that allows for the reconstruction, review, and examination of a transaction from inception to final results. Audit trails can be used to detect unauthorized accesses to computer systems.

Recommendations

We recommended the Chief Information Officer clarify responsibilities for reconciling user accounts on the TACACS+ with the system used by the IRS to authorize employee access, improve the testing of authentication controls on the TACACS+ to identify any configuration weaknesses, ensure that the TACACS+ is configured to prevent employees and contractors from gaining access to the routers and switches if they have not used the System within 90 calendar days, and eliminate unnecessary shared accounts and ensure that each account is
properly authorized. In addition, the Chief Information Officer should ensure that the Enterprise Networks organization provides the audit trails for the TACACS+, routers, and switches to the Cybersecurity office for periodic reviews; audit trail information is filtered for effective analysis; and all routers and switches are configured to the same time zone.

Response

IRS management agreed with six of our recommendations and is evaluating implementation of the seventh. The IRS will begin monthly reconciliation of the TACACS+ user accounts with the system used to authorize employee access, implement testing of the authentication controls on the TACACS+, ensure that employee user accounts are locked after 45 calendar days of inactivity and removed after 90 calendar days of inactivity, and ensure that no unauthorized or unnecessary shared accounts exist on the TACACS+. In addition, audit log information will continue to be filtered in accordance with router and switch guidance, and the Enterprise Networks organization will ensure that the Cybersecurity organization has access to all audit log information for review and analysis. The IRS will evaluate our recommendation to configure all routers and switches to the same time zone to determine whether this approach is an appropriate enterprise solution. We will follow up on the adequacy of these corrective actions in future audits. Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background
Results of Review
    Access Controls Over Router and Switch Administration Were Not Effective to Control Unauthorized Use
        Recommendations 1 and 2
        Recommendations 3 and 4
    Audit Trails Are Not Being Reviewed to Identify Questionable Activity
        Recommendations 5 through 7
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report
Abbreviations

IRS       Internal Revenue Service
TACACS+   Terminal Access Controller Access Control System

Background

Every Internal Revenue Service (IRS) site, whether it is a Computing Center,¹ campus,² or small field office, has a local area network interconnecting computers at the site and providing access to the other IRS networks nationwide. IRS data networks rely on thousands of routers and data switches to ensure data traffic is routed and managed effectively.

Routers are devices that determine the proper path for data to travel between different networks. They connect networks and can also direct traffic to the Internet. Routers are now available in many types, although all are fundamentally doing the same job. A modern router is essentially a small network computer with an operating system, memory, and a processor that does all of the work in the router. The main manufacturer of commercial-scale routers is Cisco.

In a network of any real complexity, routers will not send data directly to the destination. Instead, information will pass through a series of routers, each getting the information one step closer to the destination, until it reaches the router that connects to the final destination. The term “switch” is often used interchangeably with router, but a switch forwards traffic between the ports of a single network based on hardware addresses and might or might not also perform additional routing functions.

Because the IRS sends sensitive taxpayer and administrative information across its networks, routers must have sufficient security controls to deter and detect unauthorized use.
Disgruntled employees, contractors, and hackers who gain access to routers could steal sensitive information and cause denials of service leading to lost productivity. A hacker accessing a poorly configured router could gain full control of the IRS network. For example, an unscrupulous person could divert data traffic through a third-party system on its way to the intended destination.

Denials of service can also be costly for organizations. For example, on January 23, 2001, Microsoft’s web sites could not be accessed for nearly 23 hours. The next day, Microsoft attributed the failure to a configuration change to the routers on its network. In 2007, an article by Netcordia³ stated that Gartner⁴ estimated the average hourly cost of network downtime to be $42,000. The average company suffered 87 hours of network downtime annually, equaling $3.65 million in lost revenue.

¹ IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
² IRS campuses receive, process, and archive paper and electronic tax and information returns; issue taxpayer notices; process refunds; answer taxpayers’ tax law/account inquiries; and provide taxpayers with postfiling services related to collection and examination cases.
³ Network Downtime, the Configuration Errors, Netcordia Whitepapers, 2007.
⁴ Gartner, Inc. is a leading information technology research and advisory company.

The IRS Enterprise Networks organization is responsible for installing, operating, and maintaining routers and switches⁵ for a majority of the IRS.
Within the Enterprise Networks organization, the Network Management Control Center serves as the Program Management Office and central support center for the IRS network environment throughout the United States. Its responsibilities include authorizing and authenticating persons accessing routers and switches, monitoring activity on the network, and ensuring that routers are properly configured.

This review was performed at the IRS offices in New Carrollton, Maryland, within the Enterprise Networks organization during the period January through November 2007. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

⁵ The IRS Criminal Investigation Division, Office of Chief Counsel, Office of Appeals, and Statistics of Income organization manage routers and switches for their own networks.

Results of Review

Access Controls Over Router and Switch Administration Were Not Effective to Control Unauthorized Use

Authorizing and authenticating access to routers and switches are critical for deterring unauthorized use.
Fundamentally, managers must ensure that only those people who have a legitimate business need can gain access to the devices. The IRS created the Online 5081 system⁶ in June 2002 to authorize employees and contractors to access its computer systems, including routers and switches. It uses the Terminal Access Controller Access Control System (TACACS+) to authenticate users on routers and switches. This System uses a security application that requires users to enter an account name and password before gaining access.

At the time of our review, the IRS had established 374 accounts for employees and contractors that could be used to access routers and switches to perform system administration duties. Of these, 141 (38 percent) did not have proper authorization to access the TACACS+. Authorizations for 86 of the 141 employee and contractor accounts had been provided on some prior date, but the authorizations had expired at the time of our review. However, we could not find that the other 55 employee and contractor accounts had ever been authorized to access the System. We are particularly concerned that 27 of the 55 employees and contractors had accessed the routers and switches to change security configurations.

We also identified weaknesses in the TACACS+ controls used to authenticate users. Nine accounts were still active, although the employees and contractors had not accessed the System for more than 90 calendar days. The System should have been configured to automatically prevent these users from accessing the routers and switches after 90 calendar days. In addition, the system administrators circumvented authentication controls by setting up 34 unauthorized accounts that appear to be shared-user accounts.
Any person who knew the passwords to these accounts could change configurations without accountability and with little chance of detection. For this reason, the IRS requires that shared accounts be used only on a limited basis and that they be subjected to special authorization controls. However, during Fiscal Year 2007, 4.4 million (more than 84 percent) of the 5.2 million accesses to the TACACS+ were made by the 34 unauthorized user accounts. None of the accounts were properly authorized.

⁶ The Online 5081 system was named after the Information System User Registration/Change Request (Form 5081) the IRS uses to request and authorize user accounts for employees on all systems. The Online 5081 system automates some of the manual processes and provides a centralized system for all system access authorizations.

We are very concerned that authorization and authentication controls are weak on devices as sensitive as routers and switches. A disgruntled employee, contractor, or hacker could reconfigure routers and switches to disrupt computer operations and steal taxpayer information in a number of ways, including diverting information to unauthorized systems. The Treasury Inspector General for Tax Administration is continuing to review whether the security configuration changes were appropriate and warranted.

IRS managers of router and switch administrators did not carry out their responsibilities for authorizing access to only those employees and contractors who needed it to perform their duties. Neither the managers nor the staff at the Network Management Control Center reconciled the Online 5081 system information with TACACS+ user accounts as required.
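The following Python block is an added illustration of what such a reconciliation looks like when it is automated; it is not part of the audit report and not IRS or vendor code. It takes the accounts present on the TACACS+ server, the approvals held by the authorization system, and the TACACS+ accounting records, and produces each category of finding described above: accounts that were never authorized, accounts whose authorization has lapsed, accounts that are idle past the lock and removal thresholds, accounts that changed configuration without a valid authorization, and accounts that appear to be shared because they are used from several client hosts. The account names, dates, thresholds, command list and accounting records are constructed for the example.

```python
"""Reconcile TACACS+ administrator accounts against the authorization system.

Added illustration, not the IRS's or any product's code. Account names,
dates, thresholds and the accounting records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

REVIEW_DATE = datetime(2007, 11, 1)       # assumed date of the review
LOCK_AFTER = timedelta(days=45)           # lock after 45 days idle
REMOVE_AFTER = timedelta(days=90)         # remove after 90 days idle
SHARED_CLIENT_THRESHOLD = 3               # distinct client hosts that suggest a shared account
CONFIG_VERBS = {"configure", "write", "copy", "reload"}   # assumed list of change commands


@dataclass(frozen=True)
class Account:                 # an account present on the TACACS+ server
    name: str
    created: datetime


@dataclass(frozen=True)
class Authorization:           # an approval in the authorization system (e.g. Online 5081)
    account: str
    expires: datetime


@dataclass(frozen=True)
class AccountingRecord:        # one TACACS+ accounting event
    when: datetime
    account: str
    client: str                # address the administrator connected from
    command: str


def reconcile(accounts, authorizations, records, as_of=REVIEW_DATE):
    """Return the findings a reconciliation should surface, keyed by finding type."""
    valid_until = {a.account: a.expires for a in authorizations}
    last_seen, clients, changed_config = {}, defaultdict(set), set()
    for r in records:
        last_seen[r.account] = max(last_seen.get(r.account, r.when), r.when)
        clients[r.account].add(r.client)
        verb = (r.command.split() or [""])[0]
        if verb in CONFIG_VERBS:
            changed_config.add(r.account)

    keys = ("never_authorized", "expired", "unauthorized_config_change",
            "lock", "remove", "shared")
    findings = {k: set() for k in keys}
    for acct in accounts:
        expires = valid_until.get(acct.name)
        if expires is None:
            findings["never_authorized"].add(acct.name)
        elif expires < as_of:
            findings["expired"].add(acct.name)
        authorized = expires is not None and expires >= as_of
        if not authorized and acct.name in changed_config:
            findings["unauthorized_config_change"].add(acct.name)
        # An account that never logged in counts as idle since it was created.
        idle = as_of - last_seen.get(acct.name, acct.created)
        if idle >= REMOVE_AFTER:
            findings["remove"].add(acct.name)
        elif idle >= LOCK_AFTER:
            findings["lock"].add(acct.name)
        if len(clients[acct.name]) >= SHARED_CLIENT_THRESHOLD:
            findings["shared"].add(acct.name)
    return findings


def share_without_valid_authorization(findings, accounts):
    """Fraction of accounts with no current authorization (the report's 38 percent figure)."""
    bad = findings["never_authorized"] | findings["expired"]
    return len(bad) / len(accounts)


# Constructed sample data (not IRS data).
T = REVIEW_DATE
ACCOUNTS = [
    Account("alice", T - timedelta(days=400)),
    Account("bob", T - timedelta(days=400)),
    Account("carol", T - timedelta(days=200)),
    Account("dave", T - timedelta(days=400)),
    Account("erin", T - timedelta(days=400)),
    Account("netops", T - timedelta(days=300)),   # looks like a shared account
    Account("ghost", T - timedelta(days=120)),    # never used, never authorized
]
AUTHORIZATIONS = [
    Authorization("alice", T + timedelta(days=200)),
    Authorization("bob", T - timedelta(days=10)),     # lapsed before the review
    Authorization("dave", T + timedelta(days=100)),
    Authorization("erin", T + timedelta(days=100)),
]
RECORDS = [
    AccountingRecord(T - timedelta(days=1), "alice", "10.0.0.5", "show running-config"),
    AccountingRecord(T - timedelta(days=2), "bob", "10.0.0.6", "show ip route"),
    AccountingRecord(T - timedelta(days=3), "carol", "10.0.0.7", "configure terminal"),
    AccountingRecord(T - timedelta(days=60), "dave", "10.0.0.8", "show version"),
    AccountingRecord(T - timedelta(days=120), "erin", "10.0.0.9", "show version"),
    AccountingRecord(T - timedelta(days=1), "netops", "10.0.1.1", "configure terminal"),
    AccountingRecord(T - timedelta(days=1), "netops", "10.0.1.2", "configure terminal"),
    AccountingRecord(T - timedelta(days=2), "netops", "10.0.1.3", "write memory"),
]

if __name__ == "__main__":
    result = reconcile(ACCOUNTS, AUTHORIZATIONS, RECORDS)
    for finding, names in result.items():
        print(f"{finding:28s} {sorted(names)}")
    print(f"without valid authorization: {share_without_valid_authorization(result, ACCOUNTS):.0%}")
```

Run monthly, the output of such a reconciliation is the list of accounts to delete or lock and the list of configuration changes that need a manager's attention; the shared-account heuristic is only a lead, since a legitimate administrator may also connect from several workstations.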
This reconciliation would have found a majority of the weaknesses we identified. None of the IRS managers we contacted stated they were responsible for administering router accounts once they forwarded authorizations to the Network Management Control Center. They stated they believed the administration of the router and switch user accounts was solely the responsibility of others. TACACS+ administrators were able to make configuration changes to bypass the authentication controls and set up shared accounts due to a lack of oversight by their managers and the Network Management Control Center. Periodic testing of the routers and switches was insufficient to identify these weaknesses.

Recommendations

The Chief Information Officer should:

Recommendation 1: Clarify responsibilities for reconciling user accounts on the TACACS+ with the Online 5081 system and ensure that the reconciliations are conducted routinely. The results from the reconciliations should be used to ensure that only authorized employees and contractors can access the TACACS+.

    Management’s Response: IRS management agreed with this recommendation. The Network Management Control Center will begin monthly reconciliation of the TACACS+ with the Online 5081 system and delete any TACACS+ accounts without an associated Online 5081 system authorization.

Recommendation 2: Improve the testing of authentication controls on the TACACS+ to identify any configuration weaknesses.

    Management’s Response: IRS management agreed with this recommendation.
    The Enterprise Networks organization will run monthly tests of authentication controls, including the control to ensure that the system locks accounts after three failed attempts.

Recommendation 3: Ensure that the TACACS+ is configured to prevent employees and contractors from gaining access to the routers and switches if they have not used the System within 90 calendar days.

    Management’s Response: IRS management agreed with this recommendation. The Network Management Control Center will ensure TACACS+ accounts are locked after 45 calendar days of inactivity and removed from the System after 90 calendar days of inactivity.

Recommendation 4: Eliminate unnecessary shared accounts on the TACACS+ and ensure that the remaining accounts are properly authorized and limited.

    Management’s Response: IRS management agreed with this recommendation.
    The Enterprise Networks organization will ensure that no unauthorized or unnecessary shared accounts exist on the TACACS+ and will review the use of shared accounts monthly to ensure that the accounts are properly documented and authorized.

Audit Trails Are Not Being Reviewed to Identify Questionable Activity

IRS procedures provide that audit trail⁷ logs for all IRS systems and applications should capture, at a minimum, the following data for each security-related event:
    • Date and time the event occurred.
    • Unique identifier (e.g., user name, user identification number, application name) of the user or application initiating the event.
    • Type of event.
    • Subject of the event (e.g., the user, file, or other resource affected) and the action taken on that subject.
    • Outcome status (success or failure) of the event.

⁷ An audit trail is a chronological record of activities that allows for the reconstruction, review, and examination of a transaction from inception to final results. Audit trails can be used to detect unauthorized accesses to computer systems.

The review of audit trails is necessary to detect potential security events such as hacking attempts, virus or worm infections and propagation, attempts to change or alter information, and other threats. The Modernization and Information Technology Services organization Cybersecurity office has the responsibility to review audit trail information from the TACACS+, routers, and switches at least weekly. In addition, the Cybersecurity office must review audit trail logs after any security incident. Analysis of audit trail events can also allow the
administrators and the Network Management Control Center to identify nonstandard configurations that could lead to security vulnerabilities or disruptions to operations.

For routers and switches, audit trail information is obtained from two sources. The TACACS+ records events such as password changes, failed attempts, commands entered, and configuration changes and stores them in its database, where reports can be generated and reviewed. In addition, the router and switch devices can generate daily logs on security events, such as blocked information, failed logons, and attempted exploits. The data are sent to remote servers where they are stored. The TACACS+ audit trail log reviews were not being conducted by the Cybersecurity office, and only a limited percentage of the audit trails for the IRS routers and switches were being reviewed.

In addition, system administrators were not following IRS procedures that require an authoritative IRS-wide time server for the purpose of synchronizing the system clocks of IRS systems. Correct time zone settings are critical during audit trail reviews for detecting inappropriate traffic across the IRS network and for establishing a timeline in case of a multifaceted attack on the IRS network. The time of attack can also be critical evidence in criminal proceedings.
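The following Python block is an added illustration of the device-log side of such a review; it is not part of the audit report and not IRS or vendor code. It takes constructed log lines in a simplified IOS-style syslog form ("<host> <Mon> <day> <HH:MM:SS> [<TZ>]: %FACILITY-SEVERITY-MNEMONIC: text") from several devices configured with different time zones, discards message classes that are not security relevant, converts each device's local timestamp to a single zone, and produces one timeline together with the items a reviewer would act on: configuration changes and who made them, repeated failed logins from one source, and devices whose time zone setting is missing or differs from the standard. The log lines, time-zone table, list of security-relevant messages, and thresholds are assumptions for the example.

```python
"""Review router and switch audit trails: filter to security-relevant messages,
normalize device timestamps to one time zone and build a single timeline.

Added illustration, not the IRS's or any vendor's code. The log lines are
constructed in a simplified IOS-style syslog form; the time-zone table,
mnemonic list and thresholds are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

YEAR = 2007                  # the timestamps carry no year; assumed from the collection period
STANDARD_TZ = "UTC"          # the one zone every device is expected to be configured with
TZ_OFFSET_HOURS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "CST": -6, "CDT": -5,
                   "MST": -7, "MDT": -6, "PST": -8, "PDT": -7}
SECURITY_MNEMONICS = {"CONFIG_I", "LOGIN_FAILED", "LOGIN_SUCCESS", "LOGOUT",
                      "PRIV_AUTH_FAIL", "IPACCESSLOGP"}
FAILED_LOGIN_THRESHOLD = 3   # failures from one source that deserve a reviewer's attention

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?: (?P<tz>[A-Z]{3,4}))?: %(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")
CONFIG_USER_RE = re.compile(r"Configured from \S+ by (\S+)")
LOGIN_RE = re.compile(r"\[user: (\S+)\] \[Source: (\S+)\]")


@dataclass(frozen=True)
class Event:
    host: str
    utc: Optional[datetime]   # None when the device stamped no usable time zone
    tz_label: Optional[str]
    mnemonic: str
    severity: int
    text: str


def parse_line(line):
    """Parse one log line into an Event; return None if it is not in the expected form."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tz = m.group("tz")
    utc = None
    if tz in TZ_OFFSET_HOURS:
        local = datetime.strptime(f"{YEAR} {m.group('mon')} {m.group('day')} {m.group('time')}",
                                  "%Y %b %d %H:%M:%S")
        # Local time minus the zone's offset from UTC gives UTC.
        utc = (local - timedelta(hours=TZ_OFFSET_HOURS[tz])).replace(tzinfo=timezone.utc)
    return Event(m.group("host"), utc, tz, m.group("mnemonic"), int(m.group("sev")),
                 m.group("text"))


def review(lines):
    """Filter, normalize and summarize a batch of log lines for a periodic review."""
    events = [e for e in map(parse_line, lines) if e is not None]
    kept = [e for e in events if e.mnemonic in SECURITY_MNEMONICS]

    # Devices whose clock cannot be lined up with the standard zone.
    clock_issues = {e.host: (e.tz_label or "missing")
                    for e in events if e.tz_label != STANDARD_TZ}

    timeline = sorted((e for e in kept if e.utc is not None), key=lambda e: e.utc)
    config_changes, failures = [], Counter()
    for e in timeline:
        if e.mnemonic == "CONFIG_I":
            um = CONFIG_USER_RE.search(e.text)
            config_changes.append((e.utc, e.host, um.group(1) if um else "?"))
        elif e.mnemonic == "LOGIN_FAILED":
            lm = LOGIN_RE.search(e.text)
            if lm:
                failures[lm.group(2)] += 1
    return {
        "timeline": timeline,
        "unplaceable": [e for e in kept if e.utc is None],   # relevant but undatable
        "dropped": len(events) - len(kept),                  # filtered as not security relevant
        "clock_issues": clock_issues,
        "config_changes": config_changes,
        "failed_login_sources": {s: n for s, n in failures.items()
                                 if n >= FAILED_LOGIN_THRESHOLD},
    }


# Constructed sample lines: two devices on local zones, one on UTC, one with no zone stamped.
SAMPLE_LINES = """\
rtr-dc-01 Feb 20 14:03:22 EST: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.1.3)
rtr-dc-01 Feb 20 14:03:25 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
rtr-dc-02 Feb 20 19:03:30 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.9.9] [localport: 22] [Reason: Login Authentication Failed]
rtr-dc-02 Feb 20 19:03:33 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.9.9] [localport: 22] [Reason: Login Authentication Failed]
rtr-dc-02 Feb 20 19:03:36 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.9.9.9] [localport: 22] [Reason: Login Authentication Failed]
sw-ca-07 Feb 20 11:04:02 PST: %SYS-5-CONFIG_I: Configured from console by carol on vty1 (10.0.0.7)
rtr-ny-03 Feb 20 14:04:40: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.0.0.5] [localport: 22]
rtr-dc-01 Feb 20 14:05:00 EST: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.2.2 started
""".splitlines()

if __name__ == "__main__":
    r = review(SAMPLE_LINES)
    for e in r["timeline"]:
        print(e.utc.isoformat(), e.host, e.mnemonic)
    print("config changes:", [(h, u) for _, h, u in r["config_changes"]])
    print("failed logins:", r["failed_login_sources"])
    print("clock issues:", r["clock_issues"], "undatable:", [e.host for e in r["unplaceable"]])
```

Read in device-local time, the two configuration changes above appear three hours apart; once normalized, they fall forty seconds apart, right after the burst of failed logins, which is the kind of sequence a reviewer needs to see as one timeline. The event from the device that stamps no time zone cannot be placed on that timeline at all, which is the practical cost of the configuration gap the report describes.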
We reviewed 169 configuration error reports for routers and switches and found that 15 (9 percent) did not follow these procedures.

Inaccurate audit trails and inadequate monitoring of audit trail logs increase the likelihood that security events will not be detected and that nonstandard configurations such as the authentication weaknesses discussed earlier will not be identified. As a result, malicious persons could exploit vulnerabilities in the routers and switches to gain unauthorized access to sensitive information and disrupt computer operations with little chance of detection.

We attribute the weaknesses in controls to detect unauthorized events to three main factors.
    • Audit trail logs on IRS routers and switches are capturing excessive amounts of data. The routers were set at a level that logs day-to-day activities such as network session logs. Not all logging messages at this level are necessary for detecting inappropriate activity. In addition, the data maintained at this level require a substantial amount of disk space for storage. To conduct effective reviews of audit trail logs, organizations must choose the minimum level of audit trail information that is sufficient for review. When an excessive amount of data is captured, reviewing the data can be too cumbersome.
    • The Cybersecurity office did not emphasize the need to receive and review the TACACS+ audit trail logs. The Cybersecurity office did review audit trail logs for some routers and switches, but not all of the logs were being forwarded to it by the Enterprise Networks organization.
    • Configurations on routers and switches were not monitored to ensure that time zone settings met IRS standards.
      The tool used by the IRS to test routers and switches was not configured to track time zone settings.

Recommendations

The Chief Information Officer should:

Recommendation 5: Use available filtering techniques to limit the audit trail information captured to the amount necessary for detecting inappropriate activity.

    Management’s Response: IRS management agreed with this recommendation. The IRS filters audit trail data in accordance with current guidance. The Enterprise Networks organization will coordinate with the Cybersecurity office to evaluate other filtering techniques to determine the benefit to its enterprise environment.

Recommendation 6: Ensure that the Enterprise Networks organization provides the audit trails for the TACACS+, routers, and switches to the Cybersecurity office for review and analysis.

    Management’s Response: IRS management agreed with this recommendation. The Enterprise Networks organization will provide the Cybersecurity office access to the TACACS+ audit logs and ensure that all audit log information is available for review and analysis.

Recommendation 7: Ensure that all routers and switches are configured to the same time zone. The use of one time zone across the entire nation would facilitate the tracking of network activity and eliminate potential confusion due to different time zones and daylight saving time. Also, time zone setting configurations should be included in testing scripts (programs) to ensure that they are set accurately.

    Management’s Response: IRS management agreed with this approach.
    However, the Enterprise Networks organization believes such an undertaking presents several complexities. The Enterprise Networks organization is evaluating the recommendation to configure all routers and switches to the same time zone to determine whether this approach is an appropriate enterprise solution and will document the results of the study.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether controls were sufficient to detect and deter unauthorized use of IRS routers and switches, two key components used to direct network traffic. To accomplish this objective, we:

I.   Determined whether IRS guidelines, standards, and procedures are consistent with those from the National Institute of Standards and Technology and the Department of the Treasury and with industry standard practices.

II.  Evaluated authorization and authentication controls for IRS routers and switches on the internal network.
     A. Determined whether all TACACS+ users had been properly authorized for access.
     B. Determined whether TACACS+ users needed access to carry out their responsibilities.
     C. Evaluated the managerial review process to ensure that all user accounts were necessary.
     D. Determined whether each system administrator had his or her own unique account and password for access to routers and switches.
     E. Determined whether passwords for user accounts met IRS standards.

III.
Determined whether audit trails were created and reviewed to detect suspicious\n       transactions on routers, switches, and the TACACS+.\n       A. Reviewed the audit trail log settings on the TACACS+ to ensure that all appropriate\n          actions were logged.\n       B. Determined whether network administrators and/or the Cybersecurity office\n          examined audit trail logs on a regular basis.\n       C. Determined whether audit trail logs were securely stored.\nIV.    Determined whether routers and switches had been configured securely.\n       A. Obtained the weekly configuration error reports from February 12 to\n          March 12, 2007 (5 weeks) and analyzed the testing results to ensure that all devices\n          were tested and vulnerabilities were corrected.\n\n\n\n                                                                                           Page 8\n\x0c            Inadequate Security Controls Over Routers and Switches\n                  Jeopardize Sensitive Taxpayer Information\n\n\n\nB. Validated the adequacy of the configuration error reports by sampling routers and\n   switches from the March 12, 2007, error report to determine whether other significant\n   vulnerabilities existed and were not identified. A sample of 30 routers was\n   judgmentally selected from the 111 routers identified in the March 12, 2007, error\n   report. Judgmental sampling was performed for ease of use in selecting the sample.\n   All 17 switches identified in the error report were reviewed.\n\n\n\n\n                                                                                 Page 9\n\x0c                   Inadequate Security Controls Over Routers and Switches\n                         Jeopardize Sensitive Taxpayer Information\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. 
Begg, Assistant Inspector General for Audit (Information Systems Programs)\nStephen Mullins, Director\nThomas Polsfoot, Audit Manager\nCharles Ekunwe, Senior Auditor\nCari Fogle, Senior Auditor\nEsther Wilson, Senior Auditor\n\n\n\n\n                                                                                     Page 10\n\x0c                  Inadequate Security Controls Over Routers and Switches\n                        Jeopardize Sensitive Taxpayer Information\n\n\n\n                                                                 Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Acting Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDirector, Program Oversight OS:CIO:SM:PO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Controls OS:CFO:CPIC:IC\nAudit Liaison: Chief Information Officer OS:CIO\n\n\n\n\n                                                                       Page 11\n\x0c      Inadequate Security Controls Over Routers and Switches\n            Jeopardize Sensitive Taxpayer Information\n\n\n\n                                                   Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                          Page 12\n\x0cInadequate Security Controls Over Routers and Switches\n      Jeopardize Sensitive Taxpayer Information\n\n\n\n\n                                                    Page 13\n\x0cInadequate Security Controls Over Routers and Switches\n      Jeopardize Sensitive Taxpayer Information\n\n\n\n\n                                                    Page 14\n\x0cInadequate Security Controls Over Routers and Switches\n      Jeopardize Sensitive Taxpayer Information\n\n\n\n\n                                                    Page 
15\n\x0cInadequate Security Controls Over Routers and Switches\n      Jeopardize Sensitive Taxpayer Information\n\n\n\n\n                                                    Page 16\n\x0cInadequate Security Controls Over Routers and Switches\n      Jeopardize Sensitive Taxpayer Information\n\n\n\n\n                                                    Page 17\n\x0c'